Your message dated Wed, 23 Aug 2023 12:23:17 +0200
with message-id <[email protected]>
and subject line Re: opensc: CVE-2023-2977
has caused the Debian Bug report #1037021,
regarding opensc: CVE-2023-2977
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1037021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037021
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: opensc
Version: 0.23.0-0.2
Severity: important
Tags: security upstream
Forwarded: https://github.com/OpenSC/OpenSC/issues/2785
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for opensc.

CVE-2023-2977[0]:
| A vulnerability was found in OpenSC. This security flaw causes a buffer
| overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
| attacker can supply a smart card package with malformed ASN1 context.
| The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
| tags, where remaining length is wrongly calculated due to moved
| starting pointer. This leads to possible heap-based buffer oob read.
| In cases where ASAN is enabled while compiling this causes a crash.
| Further info leak or more damage is possible.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2977
    https://www.cve.org/CVERecord?id=CVE-2023-2977
[1] https://github.com/OpenSC/OpenSC/issues/2785
[2] https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
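The bug class described in the quoted CVE text (a tag scan whose remaining
length is computed from the original total rather than from the moved start
pointer) is small enough to show in isolation. The C below is an added
example written for this page; it is not OpenSC code and does not reproduce
cardos_have_verifyrc_package. The tag value 0x53, the single-byte tag and
length TLV encoding, the find_tag() stand-in for the library's tag search,
and the sample bytes are all assumptions constructed for the example. The
packet is placed inside a larger arena with canary bytes after it, so the
stale-length scan reads memory that is outside the packet but still inside
the arena (a controlled stand-in for adjacent heap data), and the defect is
observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in CVE-2023-2977, not OpenSC
 * code: a caller walks a TLV buffer looking for two occurrences of a tag,
 * moves its start pointer past the first hit, but keeps passing the
 * ORIGINAL total length instead of the bytes that remain. The search
 * window then extends past the end of the real buffer. */

#define TAG_PKG   0x53   /* assumed tag value for the example */
#define ARENA_LEN 64     /* packet plus canary bytes that follow it */

/* Hypothetical stand-in for a library tag search: single-byte tag,
 * single-byte length. Searches [p, p+len) and returns a pointer to the
 * value of the first element carrying `tag`, or NULL if none is found or
 * an element's length would overrun the window it was given. */
static const uint8_t *find_tag(const uint8_t *p, size_t len,
                               uint8_t tag, size_t *vlen)
{
    const uint8_t *end = p + len;
    while (p + 2 <= end) {
        uint8_t t = p[0];
        size_t  l = p[1];
        if (l > (size_t)(end - p - 2))
            return NULL;                  /* truncated element: stop */
        if (t == tag) {
            *vlen = l;
            return p + 2;
        }
        p += 2 + l;
    }
    return NULL;
}

/* Find the second TAG_PKG element in buf[0..len). Returns the offset of
 * its value from buf, or -1 if there is none.
 * fixed == 0 reproduces the defect: the second search is bounded by the
 * stale total length `len` even though p has already advanced.
 * fixed != 0 bounds it by end - p, the bytes actually left. */
static long find_second(const uint8_t *buf, size_t len, int fixed)
{
    const uint8_t *end = buf + len;
    size_t vlen = 0;

    const uint8_t *v = find_tag(buf, len, TAG_PKG, &vlen);
    if (v == NULL)
        return -1;

    const uint8_t *p = v + vlen;            /* start pointer has moved */
    size_t remaining = fixed ? (size_t)(end - p) : len;

    const uint8_t *v2 = find_tag(p, remaining, TAG_PKG, &vlen);
    if (v2 == NULL)
        return -1;
    return (long)(v2 - buf);
}

/* Constructed sample: a 7-byte packet followed by canary bytes that are
 * NOT part of the packet but happen to look like another TAG_PKG element,
 * standing in for whatever sits after the buffer on the heap. Returns the
 * packet length; the canary is what a stale-length scan would read. */
static size_t build_sample(uint8_t *arena, size_t cap)
{
    static const uint8_t packet[] = {
        TAG_PKG, 0x03, 0x01, 0x02, 0x03,  /* first package element   */
        0x7f,    0x00                     /* unrelated empty element */
    };
    static const uint8_t canary[] = { TAG_PKG, 0x02, 0xAA, 0xBB };

    memset(arena, 0xCC, cap);
    memcpy(arena, packet, sizeof packet);
    memcpy(arena + sizeof packet, canary, sizeof canary);
    return sizeof packet;
}

/* Runs the scan over the sample; -1 means "no second element". Any
 * offset >= the packet length (7) is a read outside the packet. */
static long demo_second_offset(int fixed)
{
    uint8_t arena[ARENA_LEN];
    size_t plen = build_sample(arena, sizeof arena);
    return find_second(arena, plen, fixed);
}

int main(void)
{
    long bad  = demo_second_offset(0);
    long good = demo_second_offset(1);
    printf("stale total length: second element at offset %ld (packet is 7 bytes)\n", bad);
    printf("end - p           : second element at offset %ld (-1 = none)\n", good);
    return 0;
}
```

With the stale length the second lookup "finds" a package at offset 9, two
bytes past the 7-byte packet, because its window runs to offset 12; with
the window bounded by end - p it runs out of bytes and reports nothing. The
only difference between the two paths is the single length expression, which
is the shape of fix a reviewer should look for when a scan loop advances a
pointer it was handed.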
--- Begin Message ---
Version: opensc/0.23.0-0.3

--- End Message ---
